SaaS and Cloud Services

Regulatory and commercial legal support

Software, cloud and platform services now underpin almost every aspect of modern digital infrastructure. Organisations depend on SaaS, CCaaS, PaaS and cloud environments to deliver core business functions, support customer communications, manage data at scale, and deploy AI-driven capabilities. As these systems evolve, they increasingly blend software functionality, communications elements, data governance, and outsourced operational risk.

This convergence means that SaaS and cloud arrangements are rarely just “IT contracts”. They must address complex regulatory frameworks, including data protection, AI governance, telecoms regulation, security and resilience requirements, and sector-specific compliance obligations. Providers and customers must also manage issues such as multi-vendor architecture, subcontracting chains, service resilience, cross-border data flows, and cloud exit or portability.

bratby.law advises SaaS, CCaaS, PaaS and cloud providers, enterprise customers, digital infrastructure operators and investors on the regulatory and commercial aspects of designing, procuring and scaling digital services. The firm’s experience spans product development, platform commercialisation, regulatory perimeter analysis, privacy and AI governance, risk allocation, and dispute avoidance. Our advice is grounded in deep sector expertise and aligns commercial objectives with regulatory, operational and contractual requirements.

Our experience


The firm combines deep technology transactions expertise with regulatory insight and data governance experience. This enables clear, senior-level advice on cloud architecture, operational risk and commercial implementation. Our work spans SaaS product development, CCaaS platforms, infrastructure-as-a-service arrangements and hybrid cloud deployments.

Key issues for clients

  • Structuring and contracting: drafting and negotiating agreements, service level commitments and end-user terms.
  • Data and AI compliance: ensuring solutions align with UK GDPR, Data Protection Act 2018 requirements and emerging AI governance obligations.
  • Regulatory and telecoms issues: identifying whether cloud or communications functionality triggers Ofcom, NIS2 or other telecoms licensing obligations.
  • Security and resilience: reviewing architecture, subcontracting models and incident-response frameworks.
  • Commercial and procurement strategy: aligning pricing, performance, risk allocation and contract governance with commercial and operational outcomes.

How we help

  • Drafting and negotiating cloud, SaaS and platform agreements tailored to commercial models and operational requirements.
  • Advising on regulatory perimeter questions where software services intersect with communications functionality or telecoms regulation.
  • Designing data protection and AI governance frameworks for cloud-based products and services.
  • Supporting incident-response planning, resilience obligations and supplier-management frameworks.
  • Providing sector-specific risk analysis for investment, procurement and product rollout.

How bratby.law helps

We advise SaaS providers, cloud platforms, telecoms operators deploying cloud services, and enterprise customers on the regulatory, data protection, and commercial aspects of cloud and SaaS agreements.

  • Drafting and negotiating SaaS subscription agreements, cloud services contracts, and platform terms
  • Data protection compliance for cloud deployments, including international transfer mechanisms and UK GDPR Article 28 processor agreements
  • Advising on the interaction between telecoms regulation and cloud services where operators provide bundled offerings
  • Service level agreements, uptime commitments, and liability frameworks for mission-critical cloud services
  • Exit and migration provisions, data portability, and vendor lock-in protections
  • Regulatory due diligence on SaaS and cloud acquisitions
  • FCA and PRA outsourcing requirements for regulated firms using cloud infrastructure

Independent directory rankings

Our specialist expertise is recognised in major independent legal directories:

  • Chambers & Partners: Rob Bratby is ranked in the UK Guide 2026 in the “Telecommunications” category: Chambers
  • The Legal 500: Rob Bratby is listed as a “Leading Partner – Telecoms” in London (TMT – IT & Telecoms): The Legal 500
  • Lexology: Rob Bratby is featured on Lexology’s expert profiles (Global Elite Thought Leader): Lexology

Frequently asked questions

What legal frameworks apply to SaaS and cloud services in the UK?

SaaS and cloud arrangements are governed primarily by contract law, but they are shaped by several regulatory frameworks: UK GDPR, the Data Protection Act 2018, sector-specific regulatory requirements, the Online Safety Act (where platforms are in scope), telecoms regulation where communications functionality is offered, and security requirements informed by NCSC guidance. Cross-border services may also trigger EU GDPR, the EU AI Act and ENISA cloud certification considerations.

Do SaaS providers ever fall within telecoms regulation?

Yes. Where a SaaS or CCaaS platform includes or underpins electronic communications functionality, elements may fall within Ofcom’s regulatory perimeter. This includes services that allocate numbers, route calls, or provide messaging or communications features at scale. Proper analysis of the General Conditions and related guidance is essential to avoid inadvertent non-compliance.

What are the key contractual risks in SaaS and cloud agreements?

Key issues include service definition, uptime and availability, support models, subcontracting and supply-chain transparency, security and resilience commitments, data-processing terms, limitation of liability, exit and portability, and disaster-recovery provisions. The balance between commercial flexibility and regulatory accountability is often central to negotiation.

What should organisations consider when transferring personal data into the cloud?

Organisations must ensure UK GDPR and DPA 2018 compliance, including a clear legal basis, controller-processor allocation, data-processing terms, security measures, records of processing and, where relevant, international transfer mechanisms. Continuous monitoring and supplier governance are required where processing is ongoing, dynamic or high-risk.

How do AI governance obligations interact with SaaS and cloud deployments?

Cloud environments frequently support AI models, inference services or automated decision-making. Providers and customers should assess how model development, data inputs, transparency, testing, bias mitigation, and monitoring obligations interact with cloud architecture. Emerging UK guidance and the EU AI Act impose additional governance expectations on providers and deployers of AI systems.

What due diligence should customers undertake when procuring SaaS or cloud solutions?

Typical assessments include regulatory perimeter checks, data-protection compliance, security controls aligned to NCSC and ISO/IEC 27000-series standards, operational resilience, supplier financial stability, service architecture, service levels, roadmap and end-of-life policies, and exit or transition planning.

Do cloud providers need to support data portability and exit?

Yes. Portability, data extraction, transition assistance and clear exit pathways are essential, both legally and commercially. In some cases, these are mandated by regulatory frameworks (e.g. EU free flow of non-personal data). Even where not required by law, exit clarity is a key risk-management concern for customers.

How can bratby.law help?

The firm provides specialist advice on drafting and negotiating SaaS and cloud contracts, analysing regulatory perimeters, designing UK GDPR-compliant data-processing frameworks, supporting AI governance, advising on security and resilience, and assisting with procurement, risk allocation and supplier governance. Advice is partner-led and aligned to commercial and operational priorities.
